At a glance.
- Demand for digital identity verification.
- Screen sharing and privacy.
- Police oversharing data with colleagues.
- Facial recognition software.
- Cisco Talos warns of vulnerabilities in Open Automation Software Platform.
- Twitter's FTC settlement.
Study demonstrates need for digital identity verification.
A new study from end-to-end identity proofing provider Jumio explores the impact of the growing use of digital identity on consumer preferences and expectations. After surveying 8,000 consumers split evenly across Singapore, the UK, US, and Mexico, the study found that Singapore is the country where digital identity has the greatest impact. On average, Singaporeans access twelve online accounts each week, and 70% of respondents said they use their digital identity “constantly” or “often” to access these accounts. Overall, 68% of consumers feel it’s important to use a digital identity when using an online financial service; 52% say the same about healthcare providers and 42% for social media sites. “As our use of online services only continues to grow, organizations are clearly implementing the robust identity verification methods required to prevent against the risks associated with virtual services,” said Philipp Pointner, Jumio’s Chief of Digital Identity. “Implementing these kinds of solutions should be a ‘when,’ not a ‘maybe,’ and will now ultimately determine whether a consumer chooses your business over another.”
Sharing your screen comes with unseen risks.
The very nature of browser extensions makes them a risk: in order to “extend” and alter the behavior of the browser, they have to be able to override controls imposed by the browser itself. Naked Security offers a closer look at Screencastify, an extension that captures a user’s screen so they can share it with other users. The popular extension has over 10 million users and is considered Chrome’s most installed screen recorder. Security researcher Wladimir Palant decided to look into how Screencastify functions and found that at least six Screencastify subdomains were operated by third parties, meaning users were unknowingly giving silent access to their webcams and Google Drive not just to Screencastify, but also to six other providers. Palant’s findings demonstrate that in using any browser extension, the user may be exposed to more risk than they realize.
Northern Ireland Police wrongly share personal data with US law enforcement.
The UK Information Commissioner's Office has confirmed it’s investigating a data breach in which the Police Service of Northern Ireland (PSNI) accidentally shared the personal data of one hundred fifty-two people with foreign law enforcement agencies, the BBC reports. First reported by the Belfast Telegraph, the incident involves data shared with US law enforcement agencies that may have influenced police decisions in allowing people to travel to the country. According to Phoenix Law, which is representing some of the impacted individuals, many of the victims had no criminal record that would warrant the PSNI retaining their personal data. PSNI Chief Superintendent Sam Donaldson stated, “This is an issue we take extremely seriously and as part of our investigation we made a self-referral to the office of the Police Ombudsman and informed the Information Commissioner's Office."
A picture is worth…about thirty bucks.
The New York Times investigates PimEyes, a shockingly powerful face search engine accessible to anyone willing to pay the low, low price of $29.99 a month. PimEyes was able to find the faces of Times journalists in a variety of situations that would confound other search engines: behind a surgical mask, partially covered by a hand, in a crowd of concert-goers, and even from decades past. (Alarmingly, when PimEyes erroneously tied a search result to an image of a female subject, the result was often from a pornography site.) The owner of PimEyes, Giorgi Gobronidze, says the tool is intended to be used only by those searching for their own faces or for those of consenting individuals, and is meant to help users stay abreast of where their pictures can be found online. However, PimEyes has no controls in place to prevent users from searching for faces that are not their own, instead relying on the honor system, and users admitted to using the tool to dox social media users or find explicit photos of friends. What’s more, if a user does find images that are inaccurate or undesirable, PimEyes provides no recourse. Ella Jakubowska, a policy adviser at European Digital Rights, a privacy advocacy group, described PimEyes as “stalkerware by design no matter what they say.” A German data protection agency last year launched an investigation into PimEyes for possible violations of the General Data Protection Regulation; the probe is still ongoing.
Cisco Talos warns of vulnerabilities in Open Automation Software Platform.
Researchers at Cisco Talos have discovered eight vulnerabilities in the widely used Open Automation Software Platform. As Talos explains in their report, "The OAS Platform facilitates the simplified data transfer between various proprietary devices and applications, including software and hardware." The vulnerabilities are complex and implicate not only data privacy, but other aspects of security as well. The OAS Platform's issues have now been addressed.
Chris Clements, vice president of solutions architecture at Cerberus Sentinel, commented on the report:
“Vulnerabilities that can affect industrial control devices are among the scariest cybersecurity threats today. In many cases industrial control devices are responsible for the operation of highly sensitive processes involved in utilities and manufacturing. An attacker with the ability to disrupt or alter the function of those devices can inflict catastrophic damage on critical infrastructure facilities, but an attack can also be something that may not be immediately obvious. The infamous Stuxnet worm was a case study on these risks as it didn’t immediately break the industrial control devices it targeted but altered their function in such a way as to cause critical industrial components to eventually catastrophically fail, all while falsely reporting back to monitoring systems that everything was operating normally.
“Due to their nature, taking these systems offline to apply security patches can be immensely disruptive, and this can mean that the application of patches that protect the devices can be delayed months or years. Another issue is that due to their sensitive nature, industrial control networks are often air-gapped from the internet and any other network in the hope that the isolation will provide protection from normal cyberattack pathways such as phishing or credential stuffing over the internet. While air-gapping can be a powerful control to mitigate the risk of cyberattack, it is not a silver bullet. In fact, in some instances it can be a double-edged sword. Malicious USB devices have been leveraged several times to spread malware onto air-gapped networks, and unless special considerations have been made to perform security patching on the isolated network, the malicious code often finds itself in an environment that’s ripe for exploitation.
“To protect themselves, organizations that depend on industrial control devices need to adopt a culture of cybersecurity that considers every potential attack vector. Air-gapping can be a powerful first line of defense, but it’s critical that it not be the only one. Organizations should still ensure that they are hardening systems, have the ability to patch when necessary, and have secondary systems to ensure that taking a single device offline to patch doesn’t cause operational disruptions.”
Comment on Twitter's settlement with the FTC.
Twitter's settlement with the Federal Trade Commission, coming as it does while talks of an acquisition with Elon Musk are in progress, addresses some concerns over the platform's handling of personal data. The Wall Street Journal has a summary of what's at stake in the settlement. Paul Bischoff, Internet privacy advocate with Comparitech, commented on yesterday’s announcement that Twitter will pay a $150 million penalty for data privacy misrepresentations: "In 2019, Twitter admitted to using users' phone numbers, which were submitted in order to enable two-step verification, for advertising purposes. This violated both EU and US laws. Now we're finally seeing the outcome. What's interesting is that despite an admission of guilt, it took nearly three years for the FTC and DOJ to reach a settlement, no criminal charges were filed, and no court precedent was set. I would like to see more accountability for billion-dollar corporations."